With the rapidly approaching deadline for the deprecation of the old MSONLINE and AZUREAD PowerShell modules, I'm trying to get to grips with converting some of my (many hundreds of) scripts that I've built up over the years to their MS Graph equivalents. I'm stuck on one single, seemingly simple translation.
Many of my scripts require certain admin rights in an M365 tenant, and in trying to be a good citizen, I attempt to deal with that gracefully by checking the admin roles assigned to the currently logged-on user (these are scripts which run under a logged-in user context, using delegated rights). At this point, please don't suggest the answer is to set up an app registration & run with app rights instead - that very often isn't an option when I just need to run a quick impromptu script in a customer's tenant.
So, near the top of my script, I have this:
$myroles=Get-MsolUserRole -UserPrincipalName $currentuser
Which quickly, simply, and reliably returns all the Entra ID admin roles, by name, assigned to $currentuser at this moment - and it doesn't matter if those roles are activated via PIM, or are direct or indirect assignments (i.e. via a security group) - so if I am currently assigned the Global Reader role - by whatever means you can imagine - then there will be 1 entry in the returned data like:
ObjectId Name
-------- ----
f2ef992c-3afb-46b9-b7cf-a126ee74c451 Global Reader
I use the Name property in the result to figure out if the script has enough rights to run, and if not, politely exit. So, how to translate that into a graph equivalent?
I've had some success with the cmdlet Get-MgUserMemberOf which returns the groups and directory roles that the user is a direct member of - however, in my current use case, the admin roles are not assigned directly, but are indirectly assigned via a security group membership, and that group membership is managed through PIM. Thus the output from this cmdlet shows NO admin roles, it only shows my group memberships, and there is nothing in the output from which I can infer admin role membership (so essentially useless for my purpose).
The other likely candidate would appear to be Get-MgRoleManagementDirectoryRoleAssignment - but that returns nothing immediately useful - just a hulking great list of GUIDs, which it seems I need to do a lot more with before I can get what I need (I'm still working on that) - this is what I've been struggling with for a few hours now...
So, finally, to my question: can anyone suggest a means by which I can, in an interactively run PS script, determine what Entra admin roles the currently signed-in user holds, via MS Graph PS cmdlets?
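An added example (not code from the original post) showing one way to rebuild the Get-MsolUserRole check with the Graph cmdlets: the key difference from Get-MgUserMemberOf is Get-MgUserTransitiveMemberOf, which walks nested group membership and so also returns directoryRole objects reached through a group. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules and that the Directory.Read.All delegated scope is sufficient to read those memberships; the function names are my own.

```powershell
# Added example: list the Entra ID admin roles the signed-in user currently holds,
# including roles inherited through (PIM-managed) security group membership.
# Assumes Microsoft.Graph.Authentication + Microsoft.Graph.Users are installed and
# that Directory.Read.All (delegated) is enough to read directoryRole memberships.
Connect-MgGraph -Scopes 'User.Read', 'Directory.Read.All' -NoWelcome

function Get-CurrentUserEntraRoleNames {
    # Get-MgContext exposes the signed-in account (UPN) of the delegated session
    $upn  = (Get-MgContext).Account
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

    # transitiveMemberOf follows nested membership, so a directoryRole assigned to a
    # role-assignable group the user is (currently) a member of comes back alongside
    # the groups. Get-MgUserMemberOf only returns direct memberships, which is why
    # it showed no roles in the situation described in the question.
    $memberships = Get-MgUserTransitiveMemberOf -UserId $user.Id -All

    $memberships |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] } |
        Sort-Object -Unique
}

function Test-RequiredEntraRole {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredRoles,   # holding any one of these is enough
        [string[]] $HeldRoles = (Get-CurrentUserEntraRoleNames)
    )
    $matched = $HeldRoles | Where-Object { $RequiredRoles -contains $_ }
    return [bool] $matched
}

# Usage: the same gate that used to sit on top of Get-MsolUserRole output
$myroles = Get-CurrentUserEntraRoleNames
"Roles currently held: $($myroles -join ', ')"

if (-not (Test-RequiredEntraRole -RequiredRoles 'Global Reader', 'Global Administrator' -HeldRoles $myroles)) {
    Write-Warning 'This script needs Global Reader (or Global Administrator). Exiting.'
    return
}
```

Only memberships in effect right now are returned: an eligible-but-not-activated PIM group membership does not make the user a member of the group yet, so the role it carries will not appear until activation.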